System and method for evaluation of money transfer patterns

ABSTRACT

A system and method for evaluating records of money transfers for suspicious or irregular transaction patterns. A fraud processing server evaluates money transfer records by blocks, each block consisting of records having the same characteristic relating to location, such as the country where the transfer originates. A second characteristic of the records, such as value, sending agent, or time-of-day, is aggregated and compared to a threshold value. If the threshold value is met, the block of records is analyzed to identify individual records that are suspicious or irregular.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a continuation-in-part of U.S. patent application Ser. No. 10/091,000, filed Mar. 4, 2002, entitled “Money Transfer Evaluation Systems And Methods,” the entire disclosure of which is hereby incorporated by reference.

BACKGROUND OF THE INVENTION

Electronic transactions, such as electronic money transfers, play an important role in today's economy. Money transfers may be performed in a variety of ways, including, for example, by using the Internet, by using a phone to contact a service representative or an IVR system, by an in-person visit to a financial institution or money transfer location, and the like. For example, to perform a money transfer transaction a sender may visit a money transfer location and fill out a money transfer application. This application may request, among other things, the name of the sender, the name of the recipient, a pick-up location, the amount of money to be transferred, and depending on the amount, certain kinds of identifying data (such as sender's driver license number, social security number, and so forth). This information is transmitted to a central database, and the money to be transferred is collected from the sender. When ready to receive the money, the recipient may proceed to the pick-up location and provide the proper identification. The database is accessed to confirm the recipient and to determine the amount of money to be paid to the recipient. After payment, the date and time of payment may also be transmitted to the database.

It has been reported that some have attempted to abuse money transfer systems, such as persons associated with organized crime, drug dealers, terrorist organizations and the like. Various procedures exist to curb such abuses. For example, the United States government has implemented laws and regulations with reporting and other requirements that aim to reduce the improper use of monetary transfer transactions. For example, in the United States current money transfer regulations require a sender provide a photo ID if a transaction is $1000 or more, and two IDs and a social security number if a transfer is $3000 or above. However, reporting requirements are well known to criminal elements, and are thus easily avoided by manipulating money transfer activities to avoid detection. In addition, regulatory reporting requirements may be useful in detecting suspicious individual transactions after they have been conducted, but are not useful to detect groups of transactions that individually are not suspicious, but taken as a whole may indicate patterns of transactions or activity that are suspicious or irregular.

BRIEF SUMMARY OF THE INVENTION

There is provided, in accordance with embodiments of the present invention, a network/system and method for detecting and evaluating suspicious or irregular patterns of money transfer transactions.

In one embodiment, a method for evaluating electronic money transfers includes electronically storing records of money transfer requests, each record having a first data field representing a first characteristic of the money transfer request and a second data field representing a second characteristic of the money transfer request, sorting the money transfer records to create at least one data block where the records all have the same first characteristic (such as location), calculating a collective value for the second characteristic, comparing the collective value against a predetermined threshold value, indicating a potentially suspicious/irregular money transfer pattern if the collective value meets the threshold value, and analyzing individual records within the block for irregular money transfers if an irregular money transfer pattern has been indicated.

A more complete understanding of the present invention may be derived by referring to the detailed description of the invention and to the claims, when considered in connection with the Figures.

BRIEF DESCRIPTION OF THE DRAWINGS

In the Figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label with a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.

FIG. 1 is a block diagram illustrating a money transfer system according to one embodiment of the invention.

FIG. 2 illustrates in greater detail the money transfer system of FIG. 1.

FIG. 3 is a flow diagram illustrating a process for evaluating money transfer records in the system of FIGS. 1 and 2.

FIG. 4 is a flow diagram illustrating steps within the process of FIG. 3 for evaluating blocks of records for suspicious patterns of money transfers.

FIG. 5a illustrates an example of evaluating a block of money transfer records, using transaction value bands.

FIG. 5b illustrates a second example of evaluating a block of money transfer records, using time-of-day data.

FIG. 6 is an example of one method for analyzing a block of records that has been identified as having a suspicious pattern of money transfers.

DETAILED DESCRIPTION OF THE INVENTION

There are various embodiments and configurations for implementing the present invention. Generally, the embodiments provide systems and methods for using blocks of money transfer records in order to identify or indicate potentially suspicious or irregular money transfer patterns. If a block of money transfer records has a potentially irregular pattern, that block is then subjected to a more detailed analysis to determine if specific transfers within the block are likely to be criminal, fraudulent or otherwise improper.

The evaluation of money transfer patterns provides many useful features and advantages. For example, suspicious money transfer patterns not only alert a system operator of the need to investigate further for fraudulent or criminal activity, but also provide a basis for monitoring money transfer agents and their compliance with standards and policies for accepting money transfer requests.

The evaluation of money transfers may include several major sub processes. In some embodiments, the evaluation involves three sub processes: sorting the money records into predefined blocks of data, evaluating the blocks for suspicious patterns, and then analyzing any block having a suspicious pattern.

In the first sub process (sorting all money transfer records into one or more blocks), the blocks are sorted according to a first characteristic, which in disclosed embodiments relates to location. In specific examples, the location may be associated with the country where the money transfer request was made, or the agent network that processed the money transfer request.

In the second sub process, the blocks are then evaluated for patterns that indicate suspicious activity. For example, a money transfer system operator may periodically evaluate all money transfers being requested within a specific country, and those transfers have been sorted into a block of records in the first sub process (the sort may be done in a batch form, say at the end of each business day). Then, in the second sub process that block of records is evaluated for indicators of suspicious activities by collectively looking at one or more second characteristics of the records (different than the first characteristic). As examples, the second characteristic may relate to something other than location, such as the volume of activity, the average transferred amount, the number of transfers that fall within a monetary range or band that might be suspicious (e.g., very large amounts, or very large numbers of smaller amounts), or the time of day that money transfers are made.

In one specific example to be described below, the number of transactions falling within certain ranges is counted. The ranges may be selected to reflect regulatory requirements. For example, money transfers involving large amounts are required by authorities in some jurisdictions to be accompanied by additional sender identification (e.g., in the United States, two IDs plus a social security number or tax ID are required for transfers of $3000 or more, as opposed to only a single photo ID if the money transfer is below $3000). A large count for transactions in a selected range, e.g., just below $3000 (i.e., $2800-2999), may indicate attempts by senders to avoid compliance with such regulatory requirements. There are, of course, many possible characteristics/patterns that may be evaluated in each block (as will be described below).

Finally, a third sub process is used to analyze any block that has been indicated as having suspicious patterns. This analysis could be manual (especially if the block is not large), but more likely would be computerized. In one embodiment, the analysis is done using the process described in the aforementioned application Ser. No. 10/091,000, by taking the block of records (having the suspicious pattern) and assigning reference designators for records that share certain similar or identical data fields. This analysis is particularly useful in the present invention, since the records are available electronically and have already been sorted into a block of interest (i.e., country, agent network, or other location).

Turning now to the drawings, FIG. 1 illustrates a money transfer system 100 comprised of an interface system 125, an automated teller machine (ATM) system 145, a deposit maintenance network 150, a credit maintenance network 160 and a central exchange 170. Interface system 125 is communicably coupled to ATM system 145 via an ATM network 140, deposit maintenance network 150 and credit maintenance network 160. In general, interface system 125 unifies a variety of transfer systems while supporting a variety of mechanisms for introducing and receiving information to and/or from money transfer system 100.

Interface system 125 comprises a transaction center 130 and one or more terminals 110 in communication via a terminal network 120. Terminal network 120 can be any communication network capable of transmitting and receiving information in relation to a transfer of value from one entity to another. For example, terminal network 120 can comprise a TCP/IP compliant virtual private network (VPN), the Internet, a local area network (LAN), a wide area network (WAN), a telephone network, a cellular telephone network, an optical network, a wireless network, or any other similar communication network. In particular embodiments, terminal network 120 provides message based communications between terminals 110 and transaction center 130.

Terminals 110 can be any terminal or location where value is accepted and/or provided in relation to money transfers across money transfer system 100. Thus, in some instances, terminal 110 is at a money transfer agent location, such as a convenience store where a clerk can receive value from a sender and initiate transfer of the value to a receiver via money transfer system 100. In such cases, the clerk can typically also provide transferred value to a receiver.

In other instances, terminal 110 is an automated system for receiving value from a sender for transfer via money transfer system 100 and/or for providing value to a receiver that was transferred via money transfer system 100. To accommodate various different payment instruments and types, terminal 110 can include a variety of interfaces. For example, terminal 110 can include a mechanism for receiving cash, credit cards, checks, debit cards, stored value cards and smart cards. Such terminals may also be used at the payout end to print a check or money order, or to credit a cash card or stored value card. Examples of such terminals are described in U.S. Pat. No. 6,547,132 (U.S. application Ser. No. 09/634,901, entitled “POINT OF SALE PAYMENT SYSTEM,” filed Aug. 9, 2000 by Randy J. Templeton et al.), which is hereby incorporated by reference.

In yet other instances, terminal 110 is a personal computer operated by a sender of value. Such a terminal can be communicably coupled to transaction center 130 via the Internet. The terminal can further include a web browser capable of receiving commands for effectuating transfer of value via money transfer system 100.

Terminal identification information can be associated with each terminal 110. Such identification information includes, but is not limited to, a physical location, a telephone number, an agent identification number, a terminal identification number, a security alert status, an indication of the type of terminal, a serial number of a CPU, an IP address, the name of a clerk, and the like.

Terminals 110 may also be operated in agent networks, i.e., a plurality of terminals at different locations may be operated by the same agent entity. There could be many such agent networks within system 100 at locations around the world.

Using money transfer system 100, value can be transferred from any of a number of points. For example, value can be transferred from terminal 110 to itself or any other terminal 110, from any terminal 110 to a deposit account via deposit maintenance network 150 or credit maintenance network 160, from any terminal 110 to any ATM 114 via ATM network 140. Many other transfers to/from ATMs 114, deposit accounts, terminals, and/or credit accounts can be accomplished using money transfer system 100. The ATM system 145 is only illustrative, it being understood that such a system is merely one of many possible optional means for money to be conveniently transferred/received without the use of conventional, agent-operated money transfer terminals, and the transfer of money within system 100 may or may not involve the use of ATMs 114.

Referring to FIG. 2, a fraud watch system 210 is provided in communication with transaction center 130 of money transfer system 100. As illustrated, transaction center 130 includes a network processor 132 to process data received and transmitted via terminal network 120. Data to/from network processor 132 is available to a host 133 that may communicate with one or more of a value translator 135, a transaction database 136, a settlement engine 137 and a messaging engine 138 to perform functions associated with transferring value via money transfer system 100. In turn, messaging engine may communicate with a message translator 139. The data received and/or provided by transaction center 130 may include information on the sender, information on the recipient, identification information associated with the sender (e.g., type of ID presented, driver's license number, etc.) or with the terminal 110 (terminal ID number), the type and amount of value transferred, a desired location to transfer the value, and the like. In some cases, a value translator 135 may be used to change the type of value. For example, value translator 135 may do a foreign currency conversion, or may transfer from one type of value to another, e.g. frequent flyer miles to United States Dollars. All information that is processed may conveniently be stored in transaction database 136.

Settlement engine 137 may be used to facilitate the crediting and debiting of various accounts during a transfer. For example, if a sender requests that funds from a credit card account be used in the transfer, settlement engine 137 is used to contact credit maintenance network 160 to charge the card and to manage the fees involved in the transaction. Such fees may be those charged by the credit organization as well as internal fees that are a part of the money transfer transaction. Settlement engine 137 may be used in a similar manner when crediting or debiting checking accounts, stored value accounts, customer loyalty (e.g., frequent flyer) accounts and the like.

In some cases, the sender may also wish to send a message with the value. Such a message may be a simple greeting, business or legal terms, and the like. Messaging engine 138 is employed to convert the message to the proper format depending on the type of output device that is to be used with receiving the money. For example, the output device may be a printer that physically prints the message onto some type of media. Alternatively, the message may be temporarily displayed on a display screen, such as on a kiosk, ATM machine, point of sale device, an e-mail, a web page or the like. The sender or recipient may also indicate that the message needs to be translated to a different language. In such cases, message translator 139 may be used to translate the message into the other language. This may be accomplished by simply doing a word look up for each corresponding word in the other language. More complex language translation capabilities may also be used.

Once a value transfer is properly processed, data indicating the transfer is sent by a switch 134 to the appropriate network as shown. This may be to ATM network 140, deposit maintenance network 150 and/or credit maintenance network 160 to complete the transaction.

A monitoring or fraud watch system 210 includes a fraud processing server 220 and a watch database 230. Fraud watch system 210 is associated with transaction center 130 in a manner that allows for access to transaction database 136. Such association can be provided by direct wired communication between transaction database 136 and fraud processing server 220, by direct or network communication between transaction center 130 and fraud processing server 220, or by any other mechanism that provides fraud watch system 210 with access to transaction database 136. In one particular embodiment, fraud processing server 220 is communicably coupled to terminal network 120 and accesses transaction database 136 via network processor 132 and host 133. In another embodiment, fraud processing server 220 is directly coupled to host 133 and accesses transaction database 136 via host 133. It will be recognized by one of ordinary skill in the art that a number of other mechanisms exist within the scope of the present invention for providing access by fraud processing server 220 to transaction database 136.

Fraud processing server 220 can be a microprocessor based device capable of retrieving data from transaction database 136, searching and manipulating the data, maintaining a form of the data on watch database 230, and providing access to data at database 230. Such access to the data can include formatting the data and providing the data in an easily accessible form. In some embodiments, fraud processing computer is a single computer, such as a personal computer or a database server. In other embodiments, fraud processing server is a group of two or more computers. In such embodiments, fraud processing computer can include a central computer associated with one or more peripheral computers. Such peripheral computers can be personal computers or portable devices, such as lap top computers and/or personal digital assistants. In a particular embodiment, fraud processing server 220 includes a SQL server, while in other embodiments, it includes an ORACLE server.

Fraud processing server 220 includes a computer readable medium capable of maintaining instructions executable to perform the functions associated with fraud processing server 220. The computer readable medium can be any device or system capable of maintaining data in a form accessible to fraud processing server 220. For example, the computer readable medium can be a hard disk drive either integral to fraud processing server 220 or external to the server. Alternatively, the computer readable medium can be a floppy disk or a CD-ROM apart from fraud processing server 220 and accessible by inserting into a drive (not shown) of fraud processing server 220. In yet other alternatives, the computer readable medium can be a RAM integral to fraud processing server 220 and/or a microprocessor (not shown) within the server. One of ordinary skill in the art will recognize many other possibilities for implementing the computer readable medium. For example, the computer readable medium can be a combination of the aforementioned alternatives, such as, a combination of a CD-ROM, a hard disk drive and RAM.

Referring to FIG. 3, an overall process is illustrated for completing money transfers and then evaluating money transfer records for suspicious money transfer patterns. Many of the steps in the process are controlled by fraud processing server 220. In addition, the storage of records for the evaluation may be at watch database 230. This permits money transfer records to be evaluated separately from the money transfer operations performed at the transaction center 130, thus improving performance and minimizing operational impact on the host 133 and transaction database 136.

As illustrated in FIG. 3, the operator of the money transfer system 100 receives a request at a terminal 110 (e.g., agent operated terminal) from a sender to make a money transfer (step 310). The money transfer is completed (step 312), so that money may be picked up by the recipient (e.g., at a money transfer agent location as described earlier), and a record of the transfer stored at transaction database 136 (step 314). At predetermined intervals (e.g., at the end of each business day so as to minimize impact on actual money transfer operations), the records are readied for evaluation by parsing and stripping the records of data that is deemed not useful in the evaluation (step 316). In one embodiment, transactions of $500 or less are removed from the records since smaller transactions may be deemed not likely involved in fraudulent or criminal activity. However it should be appreciated that the amount of data stripped from the records can be large, little or none, depending on the preferences of the system operator.

At step 320, the parsed and stripped records are batched by host 133 and transaction database 136, and then are transferred for storage and processing at the server 220 and database 230 (step 322). While parsing and stripping are illustrated as performed at host 133 (this could reduce the amount of data needing to be stored at watch database 230), it should be appreciated the entire money records from transaction database 136 could be transferred to server 220 and database 230, with parsing and stripping steps then performed at server 220 after the transfer.

The records are then evaluated for indications of suspicious or irregular patterns (step 324), as will be described below in conjunction with FIG. 4. If a suspicious pattern is indicated, those blocks of records having the suspicious patterns are identified or reported to the system operator (step 330) and subjected (step 332) to further analysis, e.g., at server 220, to identify individual records that may be fraudulent, criminal, or otherwise improper (as will be described in conjunction with FIG. 6).

Referring to FIG. 4, one embodiment is illustrated for carrying out the identification of suspicious money transfer patterns (collectively referred to above as step 324 in FIG. 3). As seen, at step 410 specific blocks of records stored at watch database 230 are retrieved and sorted by fraud processing server 220 for evaluation. The blocks are formed so that all records within the block have a common characteristic useful for evaluation. In the embodiment of FIG. 4, the characteristic is location related, i.e., the system operator chooses records for a specific country or for a specific agent network. In some cases, the money transfer records from a selected country may be large, so the block may be made smaller and more manageable by choosing all records for a country corridor (i.e., transfers from one selected country to a second selected country). Other possible characteristics (location related or otherwise) could be used to create each block for evaluation.

Next, the system takes all records within each block and aggregates the data in selected fields of the records (to create a collective value for each field), according to selected secondary categories or characteristics (step 412). As one example (to be described later in conjunction with FIG. 5a), the system may look at each record in the selected block of records (Mexico) and check the field of each record for the transaction amount. A count is provided for the number of transactions falling into each of several transaction value bands for each agent within Mexico.

At step 420, the server 220 compares the aggregated category/secondary characteristic data to predetermined red flag or threshold values, and provides a report (step 430) of any patterns that are potentially suspicious. The report can also include a simultaneous comparison of the same data to previous periods (step 422). Comparisons to previous periods (e.g., previous week, previous month) are useful when the system 210 is being used to monitor agent networks for compliance with policies and procedures (increasingly irregular data patterns may indicate a need for compliance training, and improving data patterns may indicate the success of a recent compliance program).

Referring to FIG. 5a, the money transfers made at various agent locations for one data block (Mexico) are shown. The agent identifiers (Agent 1, Agent 2, etc.) may each represent a single agent or represent a group of agents operating in a single agent network. As can be seen, Agent 1 has a disproportionately large number (75) of transactions falling within the range of $2800-2900, and Agent 4 has a disproportionate number (30) of very large transactions in excess of $10000. At step 420, the server 220 may be programmed to identify and report any agent having more than 50% of transactions in the $2800-2999 band (such as Agent 1), and any agent having more than 25% of transactions in the Over $10000 band (such as Agent 4). In view of the suspicious patterns, the transactions of those agents (or the entire block) can then be further evaluated for determining whether individual transactions within the block are likely to have resulted from improper activity (step 332, FIG. 3).
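The block, aggregate and compare steps (steps 316, 410, 412 and 420) applied to value bands, as an added sketch that is not code from the application. The record field names, the two bands other than $2800-2999 and Over $10000, and the sample records (including each agent's total of 100 counted transfers) are assumptions constructed for illustration; only the counts 75 and 30 and the 50%/25% red flags come from the text.

```python
from collections import Counter, defaultdict

# Red flags from the text: more than 50% of an agent's transfers in the
# $2800-2999 band, or more than 25% in the Over $10000 band.
RED_FLAGS = {"$2800-2999": 0.50, "Over $10000": 0.25}
MIN_AMOUNT = 500  # step 316: transfers of $500 or less are stripped


def band_for(amount):
    """Map an amount to a value band. Only the two red-flag bands are named
    in the text; the edges of the other two bands are assumptions."""
    if amount < 2800:
        return "Under $2800"
    if amount < 3000:
        return "$2800-2999"
    if amount <= 10000:
        return "$3000-10000"
    return "Over $10000"


def sort_into_blocks(records, first_characteristic="country"):
    """Steps 316/410: strip small transfers, then group the rest into blocks
    that share the first (location) characteristic."""
    blocks = defaultdict(list)
    for rec in records:
        if rec["amount"] > MIN_AMOUNT:
            blocks[rec[first_characteristic]].append(rec)
    return blocks


def aggregate_by_agent(block):
    """Step 412: count transfers per value band for each agent in a block."""
    counts = defaultdict(Counter)
    for rec in block:
        counts[rec["agent"]][band_for(rec["amount"])] += 1
    return counts


def flag_agents(counts):
    """Step 420: compare each agent's band share to the red-flag values."""
    flagged = []
    for agent in sorted(counts):
        total = sum(counts[agent].values())
        for band, limit in RED_FLAGS.items():
            share = counts[agent][band] / total
            if share > limit:  # "more than", so strictly greater
                flagged.append((agent, band, share))
    return flagged


def evaluate(records):
    """Return {block name: [(agent, band, share), ...]} for every block."""
    return {name: flag_agents(aggregate_by_agent(block))
            for name, block in sort_into_blocks(records).items()}


def _make(country, agent, amount, n):
    return [{"country": country, "agent": agent, "amount": amount}
            for _ in range(n)]


# Constructed sample records (not the data of FIG. 5a).
SAMPLE = (
    _make("Mexico", "Agent 1", 2900, 75) + _make("Mexico", "Agent 1", 1200, 25)
    + _make("Mexico", "Agent 2", 2950, 10) + _make("Mexico", "Agent 2", 800, 90)
    + _make("Mexico", "Agent 2", 300, 50)    # stripped: $500 or less
    + _make("Mexico", "Agent 4", 12000, 30) + _make("Mexico", "Agent 4", 900, 70)
    + _make("US", "Agent 9", 2900, 5) + _make("US", "Agent 9", 700, 15)
)

if __name__ == "__main__":
    for block_name, flags in evaluate(SAMPLE).items():
        for agent, band, share in flags:
            print(f"{block_name}: {agent} has {share:.0%} of transfers in {band}")
```

The red flag is a share of the agent's own post-stripping volume, so where the $500 filter is applied changes the denominator and therefore which agents are reported.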

Another example of evaluating a block of records is seen in FIG. 5b, in this instance using time-of-day data collected at the time a money transfer is requested. As seen, for all agents in Mexico on a given date, those money transfer requests made both within normal agent business hours (e.g., 7 AM to 11 PM) and outside normal business hours (11 PM to 7 AM) are reported. As can be seen, Agent 2 has an irregularly high number of outside normal business hour transfers (91), which may indicate, for example, use of the system by criminals to transfer money at times to avoid day time scrutiny, or failure of individual agents to record the proper, actual time of transfers. The block of transfers can be further analyzed (e.g., using the process to be described with reference to FIG. 6), and either suspicious individual transactions identified, or the agent required to undergo compliance training as to the proper process for time stamping transactions.

As mentioned earlier, there are many possible characteristics that can be considered in aggregating data for suspicious patterns and comparison to red flags/thresholds. The following describes examples of such characteristics, it being understood that such description is not intended to be limiting:

Country Corridor Characteristics

For a given country, various characteristics of transactions to other countries can be evaluated, such as total number of transactions, total monetary amount of all transactions, the smallest and largest transactions, and the ratio of payees to senders. Past experience can lead to developing threshold values that represent an unusual level of activity. An aggregated value for any characteristic that exceeds the threshold represents a suspicious pattern.

As an example, these characteristics may be evaluated for all daily money transfers from the U.S. to each of several dozen other countries, including Nigeria. A high ratio of payees to senders for transfers from the U.S. to Nigeria (as compared to transfers from the U.S. to other countries) may indicate that large amounts of money are being distributed to Nigeria using many money transfers in smaller amounts, in an attempt to launder money.

Agent Characteristics

For each agent within one sending country, the total number of transactions, total monetary amount of all transactions, or the total number of payees/recipients that exceed predetermined thresholds may represent an unexpectedly high level of activity by one agent, and hence a suspicious pattern.

Agent to Agent Characteristics

The number of transactions (within one sending country) from each sending agent to each receiving agent might represent (if exceeding a predetermined threshold) a suspicious pattern, due to an attempt by a sending agent to steer transactions to a pick-up location or agent chosen or preferred by the sending agent, rather than chosen by the sender. Compliance training for the sending agent may be warranted.

Consumer Characteristics

For a given country, and for each sender, the total number of transactions, the total monetary amount of all transactions, and the total number of payees may indicate a pattern of senders attempting to launder money by transferring large amounts of money to multiple payees/recipients.

Biographical Characteristics

These characteristics include the nature of the sender's ID (photo or no photo), social security number, phone number, and so forth. Any aggregation that exceeds a threshold may represent an irregular or suspicious pattern. As an example, a large number of transactions using one social security number may indicate a suspicious pattern. As another example, a high percentage of transactions (e.g., 80%) completed by one sending agent without photo IDs being presented by the sender may be a suspicious pattern and indicate compliance training for that agent is warranted.

Once a block of data has been identified as having potentially suspicious patterns, that block (or, if desired, a selected subset of the block) is then subject to further analysis at step 324 (FIG. 3), to either identify individual transactions that are suspicious, or to determine that the patterns are harmless. Many methods can be used to perform this further analysis. For example, the analysis could be manual, with a trained analyst reviewing records individually to find those that appear to be part of fraudulent or criminal activity. However, in most cases, the records in a suspicious block may be many thousand or more (since it may represent, for example, all transactions on a given day across an entire country), and so a process involving more automated steps can be used.

One such process for analyzing individual records is shown in FIG. 6, and is described also in aforementioned application Ser. No. 10/091,000. Basically, the process groups transfer records together that have identical (or nearly identical) data fields. For example, if a number of transfers have the same sender name, same recipient name, same recipient phone number, or other sender or recipient identifying data, they are collected and given a single reference designator. In some embodiments, depending on the number of the records under a single designator, the records can be further analyzed manually or further sorted or grouped by fraud processing server 220 to provide an analyst with specific transactions (e.g., under a single reference designator) that could be fraudulent.

This is illustrated in FIG. 6, where a block of records (i.e., a block having a suspicious pattern, such as the pattern in FIG. 5a or FIG. 5b) is provided to the fraud processing server 220 (step 601). Each record is pulled from the block (step 606) and compared to records grouped in any existing reference designator (step 611). In other words, if records have already been analyzed and assigned a reference designator because of identical fields, the record in question is compared to the records in those existing designators for matches. If there is a match (step 616) then the record in question is associated (step 621) with the matched record designator (i.e., the record is grouped or clustered with the other records already grouped together under a single reference designator), and a time stamp (indicating the time/date of the most recent transaction within the reference designator) is updated (step 626). If there is no match, then the record is given its own reference designator and a time stamp (steps 631, 636, 641, 646), and is added to the list or set of reference designators for comparison to additional records, if any remain to be checked (step 651).

Each reference designator (cluster of money transfer records) can then be searched or analyzed (step 656) to identify specific sender names, specific recipient names or other identifying data associated with likely fraudulent or criminal activity. This final analysis can be done manually or may involve automated checking (using fraud processing server 220) of the common data fields in reference designator lists against known suspect user names or other identifiers.
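The FIG. 6 flow described above (steps 606 through 656) can be sketched as follows. This is an added illustration, not code from the patent or the referenced application; the field names, the `RD-n` designator labels, the treatment of "nearly identical" as case and whitespace folding, and the sample records are assumptions.

```python
from datetime import datetime

MATCH_FIELDS = ("sender_name", "recipient_name", "recipient_phone")
NAME_FIELDS = ("sender_name", "recipient_name")

def normalize(value):
    # Assumption: "nearly identical" means equal after case/whitespace folding.
    return " ".join(str(value).lower().split())

def cluster_block(block):
    """Steps 606-651: place every record under a reference designator."""
    designators = []
    for rec in block:                                          # step 606
        keys = {(f, normalize(rec[f])) for f in MATCH_FIELDS if rec.get(f)}
        # Steps 611/616: first designator sharing any field value wins (no merging).
        rd = next((d for d in designators if d["keys"] & keys), None)
        if rd is None:                                         # steps 631-646
            rd = {"id": f"RD-{len(designators) + 1}", "keys": set(),
                  "records": [], "latest": rec["time"]}
            designators.append(rd)
        rd["records"].append(rec)                              # step 621
        rd["keys"] |= keys
        rd["latest"] = max(rd["latest"], rec["time"])          # step 626
    return designators

def flag_designators(designators, suspects):
    """Step 656: check each designator's names against known suspect names."""
    watch = {normalize(n) for n in suspects}
    hits = {}
    for rd in designators:
        names = {v for f, v in rd["keys"] if f in NAME_FIELDS}
        if names & watch:
            hits[rd["id"]] = sorted(names & watch)
    return hits

# Constructed sample block (names, phone numbers and times are invented).
ROWS = [
    ("Jon Doe",  "R. Roe",  "555-0100", "2003-05-01T09:00"),
    ("Ann Poe",  "Sam Loe", "555-0111", "2003-05-01T10:00"),
    ("JON  DOE", "Max Moe", "555-0122", "2003-05-01T23:30"),
    ("Kim Coe",  "Max Moe", "555-0133", "2003-05-02T08:15"),
    ("Lee Foe",  "Pat Hoe", "555-0111", "2003-05-03T12:00"),
]
BLOCK = [{"sender_name": s, "recipient_name": r, "recipient_phone": p,
          "time": datetime.fromisoformat(t)} for s, r, p, t in ROWS]

if __name__ == "__main__":
    clusters = cluster_block(BLOCK)
    print([d["id"] for d in clusters], flag_designators(clusters, ["Max Moe"]))
```

The fourth record shares no field with the first, yet lands in the same designator because the third record linked the two; the cluster's key set grows as records join it.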

As should be apparent, methods other than that described above are available for analyzing blocks of records having suspicious patterns, as represented by step 324 in FIG. 3. For example, an analysis method could be used as described in U.S. application Ser. No. 10/434,409, entitled “SYSTEMS AND METHODS FOR GRADUATED SUSPICIOUS ACTIVITY DETECTION,” filed May 7, 2003 by Robert G. Degen et al., which is hereby incorporated by reference. Under such analysis method, transactions are grouped according to affinities between transactions (e.g., common data points, such as sender names), and with increasing levels of scrutiny in order to isolate suspect money transfers.

While a detailed description of presently preferred embodiments of the invention has been given above, various alternatives, modifications, and equivalents will be apparent to those skilled in the art without varying from the spirit of the invention.

Therefore, the above description should not be taken as limiting the scope of the invention, which is defined by the appended claims.

1. A method for evaluating electronic money transfers, comprising: electronically storing records of money transfer requests, wherein each record is associated with a money transfer request and has at least two data fields, a first data field representing a first characteristic of the money transfer request and a second data field representing a second characteristic of the money transfer request; sorting the money transfer records to create at least one data block, wherein all records in the data block have the same first characteristic; calculating a collective value of the second characteristic of all the records in the data block; comparing the collective value against a predetermined threshold value, threshold value chosen to represent potentially irregular money transfer transactions; indicating a potentially irregular money transfer pattern if the collective value meets the threshold value; and analyzing individual records within the block for irregular money transfers if an irregular money transfer pattern has been indicated.
2. The method of claim 1, wherein the first characteristic is related to the location of the money transfer request.
3. The method of claim 2, wherein the first characteristic is the country where the money transfer request is made.
4. The method of claim 2, wherein the first characteristic is the agent network receiving the money transfer request.
5. The method of claim 2, wherein the second characteristic is related to the value of the money transfer request.
6. The method of claim 5, wherein the value of each money transfer request is assigned to one of a plurality of value bands, each band representing a predetermined range of transferred monetary amounts, and wherein the collective value represents the number of money transfer requests having transferred monetary amounts falling within one of the value bands.
7. The method of claim 6, wherein predetermined range has an upper limit below $3000.
8. The method of claim 7, wherein predetermined range has a lower limit above $2800.
9. The method of claim 2, wherein the second characteristic is related to the time-of-day of each transaction.
10. The method of claim 9, wherein the second characteristic is related to whether the transaction is during normal business hours or outside normal business hours, wherein the collective value is the total number of transactions outside normal business hours, and wherein the threshold value is a percentage of the transactions outside normal business hours in relation to the total number of transactions.
11. The method of claim 10, wherein the comparing step compares, for each of a plurality of agents, the collective value of the total number of transactions outside normal business hours to the threshold value.
12. The method of claim 2, wherein the second characteristic is chosen from a group consisting of: transaction value band characteristics; country corridor characteristics; agent characteristics; agent to agent characteristics; consumer characteristics; and biographical characteristics.
13. The method of claim 1, wherein the electronic records are stored at a money transfer system, wherein the stored records are transferred to a monitoring system programmed for carrying out the steps of sorting the money transfer records, calculating a collective value for the second characteristic of all the records in the data block, comparing the collective value of the second characteristic against a predetermined threshold value, indicating a potentially irregular money transfer pattern if the collective value of the second characteristic of all records in the data block meets the threshold value, and analyzing individual records within the data block for irregular money transfers, and wherein the threshold value is a red flag threshold selected by the operator of the money transfer system based on experience.
14. The method of claim 1, wherein the money transfer records include a first sender identification associated with a first money transfer request and at least a second sender identification associated with a second money transfer request, and wherein the step of analyzing individual records comprises: performing an analysis of the records, wherein the analysis indicates the first sender identification and the second sender identification are related; creating a reference designator, wherein the reference designator is associated with records having the related first and second sender identifications; and searching the records associated with the reference designator to determine if any of records are suspicious money transfer requests.
15. The method of claim 14, wherein the step of searching includes searching the records to determine if any of the money transfer requests are by a known suspicious user.
16. A method for evaluating electronic money transfers, comprising: receiving a plurality of money transfer requests; electronically storing records of the money transfer requests, wherein each record is associated with one money transfer request and has data that defines characteristics of that money transfer request, including at least a location characteristic relating to the location where the money transfer request was made and a transaction characteristic relating to a characteristic other than location; sorting the money transfer records into at least one block, wherein all records in the block have the same location characteristic; aggregating the transaction characteristic of all the records in the block to arrive at a collective value for the transaction characteristic; defining a red flag threshold level for the collective value, the threshold level chosen to represent, if met, a suspicious money transfer pattern; comparing the collective value for the transactional characteristics with the threshold level; indicating a suspicious money transfer pattern if the collective value for the transaction characteristic meets the threshold level; and analyzing individual records within the block if a suspicious money transfer pattern has been indicated.
17. A system for evaluating money transfer records, comprising: a database for storing a plurality money transfer records, each record having a plurality of data fields relating to the money transfer, including a first field relating to a characteristic of the location where the money transfer was requested and a second field relating to a transaction characteristic not related to location; a fraud processing server for evaluating the money transfer records, the fraud processing server programmed to: sort the money records into one or more blocks of records, each block having the same characteristic in the first field; aggregate the data in the second field of the records in the block to obtain a collective value of the characteristics in the second field; compare the collective value to a threshold value, wherein the threshold level is chosen to represent, if met, a suspicious money transfer pattern; and indicating a suspicious money transfer pattern if the collective value meets the threshold value, so that the block of records can be further analyzed to identify suspicious individual money transfers.
18. The system of claim 17, wherein the characteristic in the first field identifies the country where the money transfer request is made.
19. The system of claim 17, wherein the characteristic in the first field identifies the agent network processing the money transfer request.
20. The system of claim 17, wherein the characteristic in the second field identifies the value of the money transfer request.
21. The system of claim 17, wherein the characteristic in the second field identifies the time-of-day of each transaction.
22. The system of claim 17, wherein the characteristic in the second field is chosen from a group consisting of: transaction value band characteristics; country corridor characteristics; agent characteristics; agent to agent characteristics; consumer characteristics; and biographical characteristics.
23. The system of claim 17, wherein the database is a fraud watch database, wherein records are collected and stored by a host computer and an associated transaction database within a money transfer system in response to money transfer requests by senders of money transfers, and wherein the fraud watch database and fraud processing server are separate from the host computer and transaction database, in order to minimize operational impact on the host computer and transaction database.